If you wish to run local web services, such as CalDAV, CardDAV, WebDAV, websites, etc., you may want to connect over SSL. Here are instructions on how to generate self-signed SSL certificates, on Mac OS X that have the CA flag set to TRUE, and which will be accepted my Android devices (which are particularly fussy about how an SSL certificate is cooked up).

As a give-my-private-data-to-questionable-private-cloud-service-companies non-believer, I run my own cloud and sync services locally. Three very handy services are CalDAV, CardDAV, and WebDAV (for sharing and syncing calendars, contacts, and files, respectively), all of which I can run locally on Mac OS X. This allows me to sync my OmniFocus data locally with Android devices, and to sync my contacts and calendars. The one catch is that I want to do all my syncing over encrypted SSL connections. That should be easy, and yet it’s taken me a great many hours to figure out.

The Challenge

The challenge is that although Mac OS X can generate self-signed SSL certificates fairly easily, it does not include a CA (certificate authority) flag in the certificate. For Android devices this flag needs to exist, and be set to True. After spending countless hours reading over forums where those before me had spent countless hours, and days, trying to generate a CA flagged True SSL certificate, and was about to throw in the towel. I have, however, stumbled upon the solution.

The Solution

1. Install OpenSSL

First off, if you have not already done so, you will need to install OpenSSL. If you have the package manager Homebrew installed, you can install OpenSSL with the following command:

Otherwise, you’ll need to follow the instructions provided here. Or install Homebrew (it’s very handy), and then use it to install OpenSSL.

To install Homebrew, it’s as simple as running the following command in Terminal:

2. Set your system up for generating SSL and CA

  • Create a directory in your home folder (or wherever else makes sense to you) called something like SSL. For instance, ~/SSL will do the trick. In Finder just hit ⇧⌘-G, and type in ~/
    That will take you to your home directory. Now create a new folder called something like SSL. In all the following instructions I will assume you create a directory at ~/SSL

In terminal type in: cd ~/ssl

  • In Terminal or in Finder (whichever you’re familiar with) create a text file in that folder and call it ca.cnf

Put the following in that file:

  • You might want to make some changes to this file. For instance you can change the default expiry of your certificates. Look for the parameter default_days = 365 and set that to however many days you want. Also, look for # EDIT THESE near the end of the file, and change those parameters to whatever works for you.
  • You need to set up the directories for your CA system to function within. Issue each of the following commands in Terminal:

3. Generate your CA

Use the following command in Terminal:

You will be asked for some information about the CA organisation. Enter something meaningful.
When that’s done, you should have a couple of new files:  ~/ssl/mypersonalca/certs/ca.pem and ~/ssl/mypersonalca/private/ca.key.

You should keep the ca.key file secret. This is not for public exposure. The ca.pem file is the one that goes public. This is the public certificate for your newly created Certificate Authority (CA). You can import that into your browser, and devices that you want to automatically trust your self-signed SSL certificates. There is, however, an additional step for using in on Android devices. We’ll cover that in a moment.

4. Generate your self-signed SSL certificate

Here we have two steps. First you create the SSL certificate, and next you certify it with your CA.

  • Use the following command to generate your 1024-bit private certificate:

You will be asked similar questions as those you were asked previously when generation the CA. Use meaningful information, as this is what you, and other people (depending on your usage scenario) will see when asked to trust the certificate.
IMPORTANT: The most important detail you will be asked for is the Common name. This should be the domain name or host identifier you are planning to use this certificate on. Something like, mydomain.com or mymac.local or even localhost (that might work, but I can’t say for sure). You can also use a wild-card, like *.mydomain.com

Now you need to sign your new SSL with your CA. Use the following command:

If you ever need to view the text contents of this file, or make a record of them somewhere, use this command:

5. Preparing your CA for Android

Android does not import ca.pem files. You need to convert them into a binary file format. To do this, use the following commands:

If you have your device plugged in and ready for DBA mode transfers, you can use the following command to push the file to your device:

If you have a different path to your device storage, change that command accordingly. Otherwise, in my case I use BitTorrent Sync. So I just drag that CA.crt file into one of the folders that sync to my Android devices, and it automagically makes its way there in a few seconds (assuming BitTorrent Sync is active on each device in that moment).

Once done, you will be able to tell Android to install the CA file via Settings -> Security -> Credential Storage and selecting “Install from storage”, and then follow the prompts.

Image Alt
Image and Android instructions courtesy of Jethro Carr

Importing the CA that is already installed on a server

If you have already installed your SSL on a server, you can fetch it into Android using a neat little app call CADroid

Another option is to browse on your Android web browser to RealmB’s Android Certificate Installer and follow the instructions there. It provides a web page which you can upload the ca.pem file to, and it will install it on your device. I’ve not tried it, but I hear it works well.